CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie

CNS2010 handout 8 :: introduction to number theory

1

computer and network securitymatt barrie

<[email protected]>


2

introduction to number theory

• Motivation: – To understand the security of Diffie-Hellman– To understand asymmetric crypto (e.g. RSA)– Slides 1..9 are background

• Notation:Z the set of all integersZ+ the set of all non-negative integersa|b a divides b i.e. there exists c є Z such that b=ac

-3|18, since 18 = (-3)(-6)173|0, since 0 = (173)(0)

p, q will be reserved for prime numbers

• The prime decomposition of n є Z+ is n = Π piei where ei є

Z+

– in other words, n = p1e1p2

e2p3e3 … pk

ek (note ei can be zero)


3

groups

• A Group (G, *) consists of a set G with a binary operation * on G satisfying:– The group operation is associative i.e. a*(b*c) = (a*b)*c– There is an element 1 є G called the identity element

• a * 1 = 1 * a = a for all a є G

– For each element a є G, there exists and element a-1 є G, called the inverse of a, such that a * a-1 = a-1 * a = 1

• A Group is commutative, if furthermore:– a * b = b * a for all a, b є G

• Example: the set of integers Z with addition forms a group – The identity element is 0 and the inverse of a is -a


4

rings

• A ring (R, +, x) consists of a set R with two binary operations arbitrarily denoted + (addition) and x (multiplication) on R where:– (R, +) is a commutative group– The operation x is associative i.e. a x (b x c) = (a x b) x c– There is a multiplicative identity denoted 1, with 1 ≠ 0 such that 1

x a = a x 1 = a for all a є R– The operation x is distributive over +, that is:

• a x (b + c) = (a x b) + (a x c) and• (b + c) x a = (b x a) + (c x a)

• The ring is a commutative ring if:– a x b = b x a for all a, b є R

• Example: the set of integers Z with addition and multiplication forms a commutative ring


5

fields

• A field is a commutative ring in which all non-zero elements have inverses.

• Fact: Zp is only a field if p is a prime number.

• For example, Zn = <0, 1, … n-1> where n is a composite (product of two primes) is not a field (it is a ring).

• e.g. Z6 = <0,1,2,3,4,5>

2 x 3 = 0 (mod 6)2-1 does not exist so Z6 is not a field – no element e such that 2 x e = 1 (mod 6)


6

gcd, lcm

• The greatest common divisor, gcd(a,b) of a, b є Z is the largest possible integer, d, such that d|a and d|b.– e.g. gcd(12, 18) = 6

• The least common multiple, lcm(a,b) of a, b є Z is the smallest integer, m, such that a|m and b|m.– e.g. lcm(12, 18) = 36

• In terms of prime factors, if a = Π pidi and b = Π pi

ei then

gcd(a,b) = p1min(d1,e1) p2

min(d2,e2) ... pkmin(dk,ek) = Π pi

min(di,ei)

lcm(a,b) = p1max(d1,e1) p2

max(d2,e2) ... pkmax(dk,ek) = Π pi

max(di,ei)


7

euclidean algorithm

• Suppose we wish to find gcd(a, b) with a ≥ b

•

Algorithm:

while b ≠ 0 do:set r ← a mod b, a ← b, b ← r

return a

• Example: gcd(4864, 3458):4864 = 1 . 3458 + 14063458 = 2 . 1406 + 6461406 = 2 . 646 + 114646 = 5 . 114 + 76114 = 1 . 76 + 3876 = 2 . 38 + 0

Hence gcd(4864, 3458) = 38


8

extended euclidean algorithm

• EEA: extended to find u,v such that gcd(a, b) = ua + vb

Algorithm:

INPUT: two non-negative integers a, b with a ≥ b

OUTPUT: d = gcd(a, b) and integers x, y such that ax + by = d

(1) If b = 0 then set d ← a, x ← 1, y ← 0 and return (d, x, y)

(2) Set x2 ← 1, x1 ← 0, y2 ← 0, y1 ← 1

(3) While b > 0 do :

q ← floor(a/b), r ← a - qb, x ← x2 - qx1, y ← y2 - qy1

a ← b, b ← r, x2 ← x1, x1 ← x, y2 ← y1, y1← y

(4) Set d ← a, x ← x2 , y ← y2 and return (d, x, y)


9

finite fields, Zn and Zp

• Again, Zp = <0, … p-1> where p is prime is a called a field – In a field we can add, multiply, take inversions, and the

commutative and distributive laws hold.

• If a and b are integers, then a is said to be congruent to b mod p, if p divides (a-b) i.e. p|a-b

a ≡ b (mod p)

• We can say b is a residue of a (mod p)

• The inverse of a є Z is b є Z such that

ab ≡ 1 (mod p)

• We can find a-1 by noting that gcd(a, p) = 1, since p is prime.


10

inverses

• So by the Extended Euclidean Algorithm (EEA) we can find u, v such that

ua + vp = 1therefore ua = -vp + 1i.e. ua ≡ 1 (mod p)so u (mod p) = a-1 є Zp

• Again Zn = <0, 1, … n-1> where n is a composite (product of two or more primes) is a ring.

• If a є Zn is such that gcd(a, n) = 1, then we say a is relatively prime to n. Then, by the EEA, there exists u є Z (the inverse) where :

ua ≡ 1 (mod n)


11

Z*, Φ(n)

• Define Zn* = {a є Zn | gcd (a, n) = 1}

– i.e. all the integers of Zn relatively prime to n (n is composite)

– otherwise known as the reduced set of residues (mod n)– in other words, all the elements which have inverses

• Since 0 is not є Zn*, Zn

* forms a multiplicative group

– a,b є Zn* implies ab є Zn

*

– a є Zn* implies a-1 є Zn

*

• We define Euler’s (“Oiler”) Totient Function Φ(n) as the number of elements in this set Zn

*

– If p is prime, then Φ(p) = p - 1– If gcd(m, n) = 1, then Φ(mn) = Φ(m) . Φ(n)


12

finding inverses with euler’s theorem

• Euler’s theorem states that for any a є Zn

– (a is relatively prime to n)

aΦ(n) ≡ 1 (mod n)

• This is Euler’s generalisation of Fermat’s little theorem– If p is prime and a is a positive integer not divisible by p then

ap-1 ≡ 1 (mod p)

• Now finding an inverse a-1 mod n is easy:

x = aΦ(n)-1 mod n

• Example: what is the inverse of 5 (mod 7)?– Since 7 is prime, Φ(n) = 7-1 = 6– x = 56-1 mod 7 = 55 mod 7 = 3


13

order, generators

• An element, a є Zn* has order d if d is the smallest

positive integer such that:

ad ≡ 1 (mod n)

• It may be that all of the elements in Zn* can be obtained

as powers of a single element, g, called the generator or primitive element of Zn

* :

Zn* = <1, g, g2, …., gΦ(n)-1> = <g>

• If it has a generator, we say Zn* is a cyclic group.

• It may be shown that Zn* is a cyclic group if and only if n

= 2, 4, pa, 2pa for odd primes p


14

exponentiation in Zn

• Can be done efficiently with repeat-and-square

• Algorithm:

INPUT: a є Zn and integer 0 ≤ k < n

(where k is t-bits in binary = Σi=0 ki2i)OUTPUT: ak mod n

(1) b ← 1. If k = 0 then return (b)(2) A ← a

(3) If k0 = 1 then b ← a(4) for i = 1 .. t do

A ← A2 mod n

if ki = 1 then b ← A . b mod n(5) return b

t


15

computing in Zp

• Let p be a large prime (~300 digits or 1024 bits).

• The following are easy to do in Zp :– Generate a random element. – Addition and multiplication.– Computing gr mod p, even if r is large.– Inverting an element.– Solving linear systems.– Solving polynomial equations of degree d in polynomial time d.

• Problems believed to be hard:– Let g be a generator of Zp. Given x є Zp find r such that x = gr mod

p. – This is known as the discrete log problem.


16

computing in Zn

• Let’s now consider Zn where n is instead a large composite (~1024 bits) which is a product of two primes (~512 bits).

• The following are easy to do in Zn :– Generating a random element. – Addition and multiplication.– Computing gr mod n, even if r is large.– Inverting an element.– Solving linear systems.

• Problems believed to be hard if the factorisation of n is unknown:– Finding prime factors of n.– Computing the square root (as hard as factoring n).– Solving polynomial equations of degree d.


17

hard problems in Zn

• Discrete Log Problem– Let g be a generator of Zn

*.

– Given x є Zn* find r such that x = gr mod n.

– This is known as the discrete log problem.

• Diffie-Hellman Problem– Let g be a generator of Zn

*.

– Given x, y є Zn* where x = ga and y = gb, find gab.

– This is known as the Diffie-Hellman problem.


18

discrete log problem revisited

• Given:Consider the finite field Zp

* = <g>

Let g є Zp be the generator, i.e. Zp* = <g, g2, …, gp-1>

gp-1 ≡ 1 mod p

• The discrete log problem asks how to find r given gr

• Example : Z11* = <1, 2, 3, …, 10>

– Consider : g = 2, g2 = 4, g3 = 8, g4 = 5, g5 = 10 = -1g6 = 9, g7 = 7, g8 = 3, g9 = 6, g10 = 1 (thus 2 is a generator)

– Now consider g = 3, 32 = 9, 33 = 5, 34 = 4, 35 = 1thus 3 is not a generator of Z11

* - order 5 not order 10


19

diffie-hellman key exchange

Alice Bobp, g, ga (mod p)

gb (mod p)

Computes gab (mod p) Computes gab (mod p)

Eve ???

Only knows p, g, ga, gb


20

diffie-hellman key exchange

• Protocol:Consider the finite field Zp

* = <g>

Let g є Zp be the generator, i.e. Zp* = <g0, g, g2, …, gp-1>

gp-1 ≡ 1 mod pg and p are public information

(1) Alice : Alice chooses a random large integer a є Zp

(2) Alice → Bob : Alice sends Bob ga (mod p)(3) Bob : Bob chooses a random large integer b є Zp

(4) Bob → Alice : Bob sends Alice gb (mod p)(5) Alice and Bob : compute gab

: Alice computes (gb)a = gab (mod p): Bob computes (ga)b = gab (mod p)

=> Alice and Bob now share secret gab


21

strength of diffie-hellman

• The strength of Diffie-Hellman is based upon two issues:– given p, g, ga, it is difficult to calculate a (the discrete logarithm

problem)– given p, g, ga, gb it is difficult to calculate gab (the Diffie-Hellman

problem)– we know that DL → DH but it is not known if DH → DL

• Essentially, the strength of the system is based on the difficulty of factoring numbers the same size as p.


22

attacks on discrete log

Question: – Given: G=<g>, gn = 1, y = ga where 1≤ a ≤n-1

– Find: a = logg(y)

• Most obvious algorithm: exhaustive search

Algorithm:– Compute g, g2, g3, … until we find ga = y (i.e. a)

Problem: – computation is O(n) – i.e. slow


23


Question: – Find a = logg(y)

• Baby-step giant-step (square root) algorithm• A time-memory tradeoff of the exhaustive search

method.

Algorithm: Let m = floor(√n)Create a table containing j, gj (j = 0 .. m-1)Sort the table by gj

Compute g-m

Set γ = yfor i = 0 .. m-1

1. if γ is in the table then break;2. Else set γ = γ g-m and loop

output a = j + im


24

example of baby-step giant-step

• Let p = 113, g = 3 is a generator of Z113* of order n= 112• Question: Find log357 :

Set m ← floor(√112) = 11 j 0 1 8 2 5 9 3 7 6 10 4

3j mod 113 1 3 7 9 17 21 27 40 51 63 81

Now g-1 = 3-1 mod 113 = 38 as (38 . 3) = 1 mod 113So g-m = 3811 mod 113 = 58

Next γ = y g-mi for i = 0, 1, 2 …i 0 1 2 3 4 5 6 7 8 9γ = 57.58i mod 113 57 29 100 37 112 55 26 39 2 3

Since y g-9m = 3 is in the table (g1), we output a = j +im = 1 + 9.11 = 100 i.e. 57 = 3100 or log357 = 100

Baby Step

Giant Step


25


• Baby-step giant-step is a time-memory tradeoff of the exhaustive search method (which is obviously O(n)).– Requires O(√n) storage for group elements– Requires O(√n) multiplications to construct– Requires O(√n log n) to do sort of table– Loop takes O(√n) multiplications and O(√n) table lookups

• Under the assumption that group multiplication takes longer than log n comparisons– the running time complexity of baby-step giant-step is O(√n) – the storage complexity is O(√n)

• Pollard-rho is another, more efficient attack on DL.


26

references

• Handbook of Applied Cryptography– read §1, §2-2.4.4, §2.5 - 2.5.3

• Stallings– §7

Documents

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie